Answers and Explanations
- C. By using a virtual machine (which is one example of a virtual instance), any ill effects can be compartmentalized to that particular virtual machine, usually without any ill effects to the main operating system on the computer. Patching a computer does not automatically patch virtual machines existing on the computer. Other virtual machines can be compromised, especially if nothing is done about the problem. Finally, virtual machines can definitely be affected by hacking techniques. Be sure to secure them!
- A. Virtualization enables a person to install operating systems (or applications) in an isolated area of the computer’s hard drive, separate from the computer’s main operating system.
- C. The Network and Sharing Center is where you can disable file sharing in Windows 7. It can be accessed indirectly from the Control Panel as well. By disabling file sharing, you disallow any (normal) connections to data on the computer. This can be very useful for computers with confidential information, such as an executive’s laptop or a developer’s computer.
- A. To hide ntldr you need to enable the Hide Protected Operating System Files checkbox. Keep in mind that you should have already enabled the Show Hidden Files and Folders radio button.
- A. and B. Two ways to harden an operating system include installing the latest service pack and installing Windows Defender. However, virtualization is a separate concept altogether; it can be used to create a compartmentalized OS, but needs to be secured and hardened just like any other OS. PHP scripts will generally not be used to harden an operating system. In fact, they can be vulnerabilities to websites and other applications.
- B. NTFS is the most secure file system for use with today’s Windows. FAT and FAT32 are older file systems, and DFS is the distributed file system used in more advanced networking.
- A. The convert command is used to upgrade FAT and FAT32 volumes to the more secure NTFS without loss of data. HPFS is the High Performance File System developed by IBM and is not used by Windows. NFS is the Network File System, something you would see in a storage area network.
- D. NTFS and FAT32 support the same number of file formats, so this is not an advantage of NTFS. However, NTFS supports file encryption, larger file sizes, and larger volumes, making it more advantageous in general in comparison to FAT32, and is capable of higher levels of security, most especially down to the file level.
- D. The biggest risk of running a virtual computer is that it will go offline immediately if the server that it is housed on fails. All other virtual computers on that particular server will also go offline immediately.
- D. The beauty of a virtualized browser is that regardless of whether a virus or other malware damages it, the underlying operating system will remain unharmed. The virtual browser can be deleted and a new one can be created; or if the old virtual browser was backed up previous to the malware attack, it can be restored. This concept applies to entire virtual operating systems as well, if configured properly.
- D. The System State needs to be backed up on a domain controller to recover the Active Directory database in the future. The System State includes user data and system files but does not include the entire operating system. If a server fails, the operating system would have to be reinstalled, and then the System State would need to be restored.
- C. A patch can fix a single security issue on a computer. A service pack addresses many issues and rewrites many files on a computer; it may be overkill to use a service pack when only a patch is necessary. You might obtain the patch from a support website. A baseline can measure a server or a network and obtain averages of usage.
- C. Often, operating system manufacturers such as Microsoft refer to the attack surface as all the services that run on the operating system. By conducting an analysis of which services are necessary and which are unnecessary, an administrator can find out which ones need to be disabled, thereby reducing the attack surface. Service packs, antivirus software, and network intrusion detection systems (NIDSs) are good tools to use to secure an individual computer and the network but do not help to reduce the size of the attack surface of the operating system.
- A., B., and C. After installing an operating system, it’s important to install the latest service pack, patches, and a firewall. These three methods can help to secure the operating system. However, remote desktop support programs can actually make a computer less secure and should be installed only if the user requests that functionality.
- A. Virtualization of computer servers enables a network administrator to isolate the various network services and roles that a server may play. Analyzing network traffic has more to do with assessing risk and vulnerability and with monitoring and auditing. Adding network services at lower costs deals more with budgeting than with virtualization, although virtualization can be less expensive. Centralizing patch management has to do with hardening the operating systems on the network scale.
- C. Patch management is an example of verifying any new changes in software on a test system (or live systems, for that matter). Verifying the changes (testing) is the second step of the standard patch management strategy. Application hardening might include updating systems, patching them, and so on, but to be accurate, this question is looking for that particular second step of patch management. Virtualization is the creation of logical OS images within a working operating system. HIDS stands for host-based intrusion detection system, which attempts to detect malicious activity on a computer.
- B. and D. Updating the host-based intrusion prevention system is important. Without the latest signatures, the HIPS will not be at its best when it comes to protecting against malware. Also, disabling unused services will reduce the attack surface of the OS, which in turn makes it more difficult for attacks to access the system and run malicious code. Disabling the data leakage prevention device would not aid the situation, and it would probably cause data leakage from the computer. Installing a perimeter firewall won’t block malicious software from entering the individual computer. A personal firewall would better reduce the attack surface of the computer, but it is still not meant as an anti-malware tool. Updating the NIDS signatures will help the entire network, but might not help the individual computer. In this question we want to focus on the individual computer, not the network. In fact, given the scenario of the question, you do not even know if a network exists.
- A. The best way to establish host-based security for your organization’s workstations is to implement GPOs (Group Policy objects). When done properly from a server, this can harden the operating systems in your network, and you can do it from a central location without having to configure each computer locally. It is the only answer that deals with the client operating systems. The other answers deal with database and web servers, and firewalls that protect the entire network.
- B. Of the answers listed, the only one that will not show the version number is wf.msc. That brings up the Windows Firewall with Advanced Security. All of the other answers will display the version number in Windows.
- A. If you migrate some of these low-resource servers to a virtual environment (a very smart thing to do), you could end up spending more on licensing, but less on hardware, due to the very nature of virtualization. In fact, the goal is to have the gains of hardware savings outweigh the losses of licensing. Load balancing and clustering deal with an OS utilizing the hardware of multiple servers. This will not be the case when you go virtual, nor would it have been the case anyway, because clustering and load balancing are used in environments where the server is very resource-intensive. Baselining, unfortunately, will remain the same; you should analyze all of your servers regularly, whether they are physical or virtual. These particular servers should not encounter latency or lowered throughput because they are low-resource servers in the first place. If, however, you considered placing a Windows Server 2012 that supports 5,000 users into a virtual environment, you should definitely expect latency.
Case Studies for Chapter 3
The case studies in this chapter offer generic scenarios for you to read through and answer according to your own technology and experiences. At the end of the section are example solutions. Your solutions will vary in comparison to the book, but both can certainly be valid. Many case study solutions also point to hands-on videos and simulations, which can be found on the book’s disc.
Case Study 3-1: Discerning and Updating the Service Pack Level
Scenario: You have been tasked with finding out the service pack level of a Windows 7 computer and updating it if necessary. You must also configure the Windows Update program in such a way that you will be notified of new updates but they will not be downloaded until you decide to do so, in keeping with your company’s policies.
Usually an organization will choose to have the latest service packs installed for every Windows system, and the latest patches for other operating systems. It’s important to be able to recognize whether a computer is up to date. Try and locate the service pack level for your version of Windows, and attempt to find out the version numbers for any other computing devices you might possess. Enter your results in Table 3-3. Afterward, define how you would go about configuring Windows Update, and what option you would choose.
Table 3-3 Operating System and Version Responses
Operating System | Version
Example: Windows 7 | Example: SP1 (version 6.1.7601)
Case Study 3-2: Securing a Virtual Machine
Scenario: Now that you have installed virtual machine software, and created a new VM, you are required to secure it. Your task is to disable unnecessary virtual hardware and secure the virtual BIOS.
Virtual machines that are contained within a Type 2 host are sort of like a computer within a computer. Consider writing down exactly what you are configuring. Try to do this in an illustrative nature. Or, consider using a network documentation program such as Visio. As you progress in the virtual world, you will be using more and more virtual computers, and will connect to them in a variety of remote ways. The more you document what it is that you are doing, the better you will understand your virtual environments.
Within your virtual software, disable the sound card, COM ports, LPT ports, and floppy disks (if any exist). This is done in the properties (or settings) of the virtual machine. Secure the BIOS by modifying the BIOS boot order, disabling unnecessary hardware, and setting an administrative (supervisor) password.
Case Study 3-3: Stopping Services in the Command-Line
Scenario: You have found that working in the GUI is good, but working in the command-line can be better. Besides, you almost always have a CLI (command-line interface) open, and you can type quickly, so it makes sense to use the CLI as often as possible. You know that unnecessary services can be vulnerabilities to your systems, so you decide to reduce the size of the attack surface by stopping and disabling services—and do this from the CLI.
Demonstrate that you can stop services in the Windows Command Prompt (such as the Windows Firewall), as well as services in the Linux CLI (such as an Apache web server if installed). Specific commands and syntax will vary depending on the version of the operating system you are working in.
Case Study Solutions
Case Study 3-1 Solution
To find out the service pack level of Windows 7, navigate to Start, then right-click Computer and select Properties. This displays the System window and should show the Windows edition, as well as the service pack level. If no service pack is listed, then none is installed, and this is known as service pack 0. Other versions of Windows use similar navigation to find out the service pack level. To update to the latest service pack for a given Windows operating system, go to http://support.microsoft.com/ and search the relevant phrase, such as “Windows 7 SP1.” The latest service packs can be downloaded directly from the website. An organization might also use an optical disc to update individual computers or, if there are a lot of computers, stream the service pack update over the network.
Service packs are large groups of patches and updates. But they are static, meaning after one is released, it remains the same. So, additional updates are always necessary. By default this is taken care of by Windows Update. To modify the Windows Update settings, choose Start > All Programs > Windows Update. Then click the Change Settings link. Click the drop-down menu under Important Updates to select the correct setting. In this scenario it was “Check for updates but let me choose whether to download and install them.” This is a good solution for an individual computer, giving the user a good amount of control over what is installed. However, it probably wouldn’t be the best solution in an organization, and it is more likely that updates would be streamed across the network with a centralized solution such as SCCM.
Keep in mind that some computers will need to be updated beyond the service pack, and beyond what is automatically downloaded from Windows Update. Patches for specific problems are known as hotfixes. It is important to know how to acquire these hotfixes (also known as update rollups). They are usually found at the Microsoft Support website and are listed by Knowledge Base (KB) number. For example, one hotfix that repairs a memory leak in Windows 7 SP1 can be found at the following link: http://support.microsoft.com/kb/2911106.
It is article number 2911106 in the Microsoft Knowledge Base. It actually fixes a lot of documented issues, and can be an important fix for various Windows operating systems in addition to Windows 7 SP1. Over time, these hotfixes are gathered together in automatically downloaded Windows Update groups (if it is deemed necessary), and ultimately are added to newer service packs.
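The same three checks can be done from the command line instead of the System window and the Windows Update GUI. The PowerShell script below is an added example, not from the book or from Microsoft: it reads the edition, version and service pack level from WMI, reads the Automatic Updates notification level through the Microsoft.Update.AutoUpdate COM object (the level-to-wording table is my mapping of the documented AutomaticUpdatesNotificationLevel values), and tests whether a hotfix such as KB2911106 is installed. The function names are invented for this example; Get-WmiObject is used rather than Get-CimInstance so the script also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: service pack level, Windows Update mode and hotfix presence from the CLI.

function Get-ServicePackLevel {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Object PSObject -Property @{
        Edition          = $os.Caption
        Version          = $os.Version                  # e.g. 6.1.7601 for Windows 7 SP1
        ServicePackMajor = $os.ServicePackMajorVersion  # 0 is "service pack 0" (none installed)
        ServicePackName  = $os.CSDVersion               # e.g. "Service Pack 1"; empty when none
    }
}

# Notification levels of the Windows Update Agent (IAutomaticUpdatesSettings.NotificationLevel).
$NotificationLevels = @{
    0 = 'Not configured'
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-WindowsUpdateMode {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    New-Object PSObject -Property @{
        Level       = $level
        Description = $NotificationLevels[$level]
        ReadOnly    = $au.Settings.ReadOnly   # $true when Group Policy (or SCCM) owns the setting
    }
}

function Set-WindowsUpdateNotifyOnly {
    # Level 2 is the setting the scenario asks for. Needs an elevated prompt;
    # refuses to fight a policy-managed setting, which should be changed centrally instead.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    if ($au.Settings.ReadOnly) { throw 'Windows Update is controlled by policy; change it there.' }
    $au.Settings.NotificationLevel = 2
    $au.Settings.Save()
}

function Test-HotfixInstalled {
    param([Parameter(Mandatory=$true)][string]$KbId)   # e.g. 'KB2911106'
    $hit = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($null -ne $hit)
}

# Usage (run as administrator for the Set- function):
Get-ServicePackLevel
Get-WindowsUpdateMode
Test-HotfixInstalled -KbId 'KB2911106'
```

Get-HotFix only lists updates recorded by Windows Installer or Windows Update; a patch applied some other way may not appear, so a missing KB is a prompt to check the support article, not proof that the fix is absent.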
Case Study 3-2 Solution
Virtualization security is vital. VMs should be secured the same way that a regular operating system is secured. However, the VM itself (and the virtual hosting software) can be further secured by disabling virtual hardware, both within the virtual machine settings and within the virtual machine BIOS.
This solution utilizes a Windows 7 hosting computer and assumes that you have already downloaded and installed Microsoft Virtual PC 2007, created a virtual machine, and installed an OS. Basic steps follow below. Be sure to watch the accompanying video solution as well.
Step 1. Check the Microsoft Virtual PC 2007 software SP level from Control Panel > Programs > Programs and Features. If necessary, upgrade to the latest SP from the following link: www.microsoft.com/download/en/details.aspx?displaylang=en&id=24439
Step 2. Set security options in the Virtual PC console from File > Options > Security.
Step 3. Disable unnecessary hardware within the Virtual PC console for the VM in question. For example, the sound card, COM ports, LPT ports, and floppy disks.
Step 4. Start the virtual machine and secure the virtual BIOS. Modify the BIOS boot order, disable unnecessary devices, and configure an administrative password.
Step 5. Start the virtual machine and check the SP level of the virtual OS.
Step 6. Disable unnecessary hardware in the Device Manager of the VM.
Step 7. Remove any network sharing connections between the VM and the physical host.
Step 8. (Optional) Exit the VM and secure the folder on the host OS that contains the VM files.
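Steps 7 and 8 can be checked and enforced from PowerShell on the Windows 7 host. The script below is an added example, not part of the book's solution or of Virtual PC: it lists any SMB shares whose path covers the VM folder, then cuts inheritance on that folder and grants access only to SYSTEM, Administrators and the account that runs the VM. The default folder path, the function names and the principal list are assumptions for this example; adjust them to where your VM files actually live.

```powershell
# Added example: expose and then lock down the host folder that holds the VM files.

function Get-SharesExposingFolder {
    param([Parameter(Mandatory=$true)][string]$Folder)
    # Win32_Share also returns the administrative shares (C$, ADMIN$); seeing those is
    # expected, but any other share whose path contains the VM folder should be removed.
    Get-WmiObject -Class Win32_Share | Where-Object {
        $_.Path -and $Folder.ToLower().StartsWith($_.Path.ToLower())
    } | Select-Object Name, Path
}

function Protect-VmFolder {
    param(
        [string]$Folder = "$env:USERPROFILE\Documents\My Virtual Machines",   # assumed location
        [string]$VmUser = "$env:USERDOMAIN\$env:USERNAME"                    # account that runs the VM
    )
    if (-not (Test-Path -Path $Folder)) { throw "Folder not found: $Folder" }

    $acl = Get-Acl -Path $Folder
    # Stop inheriting from the parent and drop the inherited entries (second $false), so the
    # broad read access 'Users' typically receives higher up the tree no longer applies here.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $VmUser)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $principal, 'FullControl', $inherit, $propagate, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-VmFolderAccess {
    param([string]$Folder = "$env:USERPROFILE\Documents\My Virtual Machines")
    # Verify: after Protect-VmFolder every entry should be non-inherited and limited to the three principals.
    (Get-Acl -Path $Folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage (elevated prompt):
Get-SharesExposingFolder -Folder "$env:USERPROFILE\Documents\My Virtual Machines"
Protect-VmFolder
Get-VmFolderAccess
```

The VHD inside that folder is the virtual machine's entire disk, so read access to the folder is equivalent to physical access to the VM; that is why the grant list is kept this short.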
Case Study 3-3 Solution
Stopping services is an extremely important skill for a security administrator (not to mention for the Security+ exam). As an IT person, you should feel at home in the command-line. Running commands, scripting, and testing network connections are all part of a day’s work in the computer world. From a security standpoint, some things that cannot be accomplished in the GUI can be performed in the command-line.
To stop a service such as the Windows Firewall in Windows, use the following syntax:
net stop mpssvc
sc stop mpssvc
To stop a service in Linux (for example, stopping the udevmonitor service in Ubuntu), use the following syntax:
sudo stop udevmonitor
Be prepared to enter the administrator password because you have invoked the sudo option.
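The net stop and sc stop commands above stop one service you already know by name. The PowerShell script below is an added example (not from the book) that serves both this case study and the attack-surface answers earlier in the chapter: it compares the running services with an allowlist of what the machine's role needs, reports the rest, and stops and disables a chosen one while recording its previous start type so the change can be reversed. The allowlist is a constructed placeholder (mpssvc is kept on it deliberately, since the firewall service should never be disabled in a hardening pass); in practice it comes from the baseline of a known-good machine. Function names are invented for the example.

```powershell
# Added example: find running services that the role does not need, then stop and disable one.

# Constructed allowlist; build yours from a baseline. mpssvc (Windows Firewall) and BFE stay on it.
$RequiredServices = @('mpssvc', 'BFE', 'wuauserv', 'EventLog', 'Dhcp', 'Dnscache', 'RpcSs')

function Get-UnneededRunningServices {
    param([string[]]$Allow = $RequiredServices)
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and ($Allow -notcontains $_.Name)
    } | Select-Object Name, DisplayName, Status
}

function Get-ServiceStartMode {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Get-Service has no StartType property before PowerShell 5, so read it from WMI
    # (this is the same value 'sc qc <name>' prints as START_TYPE).
    (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'").StartMode
}

function Disable-UnneededService {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [switch]$DryRun
    )
    $svc    = Get-Service -Name $Name -ErrorAction Stop
    $before = Get-ServiceStartMode -Name $Name

    if ($RequiredServices -contains $Name) {
        throw "$Name is on the required-services list; refusing to disable it."
    }
    if ($DryRun) {
        Write-Output "Would stop and disable ${Name} (status $($svc.Status), start type $before)"
        return
    }
    # -Force also stops services that depend on this one, the same effect 'net stop /y' has.
    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    Write-Output "${Name}: stopped; start type $before -> Disabled (revert with Set-Service -StartupType $before)"
}

# Usage (elevated prompt). 'Fax' is only a sample candidate; review the list before disabling anything.
Get-UnneededRunningServices | Format-Table -AutoSize
Disable-UnneededService -Name 'Fax' -DryRun
```

Stopping a service only clears it until the next boot; it is the Disabled start type that actually shrinks the attack surface, which is why the function sets both, and why it prints the old start type so a mistake can be undone without guessing.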